13 March 2017

In this blog post I'll show you how to use username/password authentication with a Talend ESB web service (based on CXF) running inside a Karaf runtime: first with a UsernameToken inside the SOAP header, and second by using Basic Authentication.

06 February 2017

Working with Kerberos can easily cause a lot of trouble, and troubleshooting can take several hours.
In this blog post I'll show you what helps most when using Kerberos with Java, for example to secure a Hadoop cluster.

When Kerberos is not working as expected, it is important to understand why. Kerberos debug logging is a very valuable resource for understanding what is happening.
To enable Kerberos debugging, set the following JVM property:

-Dsun.security.krb5.debug=true

Now read your log file very carefully. This will help you to understand what is missing.

Usually you will define your Kerberos configuration in your C:\Windows\krb5.ini or /etc/krb5.conf file. Make sure that the mapping of your hostnames to your Kerberos realm is correct there.
There are also a few other JVM properties that are usually not required, but can be useful to override/define your configuration at application startup:

Here are some more shell commands that are very helpful to test if Kerberos is working in general (outside of your Java application):

# Login with a specific keytab file
kinit -k -t /path/to/your/keytab
# List all locally available tickets. After kinit there should be at least your TGT.
klist
# Request a ticket for a specific service. Check if the service is registered correctly at your Kerberos server.
kvno service/hostname@domain
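
As an added example (not from the original post), this shell function checks which realm a hostname resolves to in the [domain_realm] section of a krb5.conf, the mapping mentioned above. The sample file, host names and realm names are constructed, and the lookup order (exact host first, then each parent domain with and without a leading dot) is the order assumed here.

```shell
#!/bin/sh
# realm_for_host <krb5.conf> <hostname>
# Prints the realm [domain_realm] maps the host to; returns 1 if nothing matches.
# Assumed lookup order: exact host name, then each parent domain, trying the
# ".domain" form before the bare "domain" form.
realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')   # keys are lower case
    awk -v host="$host" '
        /^[ \t]*[#;]/ { next }                               # skip comment lines
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        in_sec && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (!(key in map)) map[key] = val                # first entry wins
        }
        END {
            cand = host
            while (cand != "") {
                if (cand in map) { print map[cand]; exit 0 }
                if (substr(cand, 1, 1) == ".") cand = substr(cand, 2)
                else if ((i = index(cand, ".")) > 0) cand = substr(cand, i)
                else cand = ""
            }
            exit 1
        }' "$conf"
}

# Constructed sample configuration (realm and host names are made up).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[domain_realm]
    .hadoop.example.com = HADOOP.EXAMPLE.COM
    kdc1.hadoop.example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
EOF

for h in NN1.hadoop.example.com kdc1.hadoop.example.com www.example.com host.other.org; do
    realm=$(realm_for_host "$sample" "$h") || realm="(no [domain_realm] entry)"
    printf '%-26s -> %s\n' "$h" "$realm"
done
```

A host that lands in an unexpected realm, or in none, is worth fixing before digging further into the debug log.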

About Me

I am a technical consultant working for Talend in the application integration (ESB) department. I enjoy focusing on security-related topics the most. I'm a committer for Apache CXF and Apache Syncope. The views expressed on this site are mine alone and do not necessarily reflect the views of my employer.

Disclaimer

I hope this content helps you to better understand some topics. All content of this blog is created to the best of my knowledge. I don't claim to know everything or to be error-free. Therefore you must use any information on this page at your own risk. If you find errors, please leave me a note in the comments and I'll do my best to take care of it.